LDAP configuration issue - Reviewboard 4.0.4


Deviprasad Tummidi

Sep 8, 2021, 9:41:23 AM
to Review Board Community
Hi Community Members,

I have installed Reviewboard version 4.0.4 and am trying to set up LDAP authentication, but I am unable to progress.

OS : CentOS 8
ReviewBoard Version : 4.0.4

LDAP Config:

LDAP Server: ldaps://ldaps.mycompany.com:636
Use TLS for authentication: Checked
Review Board LDAP Bind Account:  my_existing_ldap_user
Review Board LDAP Bind Password: xxxxxxxx
LDAP Base DN: dc=olympus,dc=mycompany,dc=com
Username Attribute: sAMAccountName
Full Name Attribute: displayName
E-Mail LDAP Attribute: mail

tail -f /var/www/reviewboard/logs/reviewboard.log

2021-09-08 07:08:48,374 - WARNING -  - reviewboard.accounts.backends.ldap - Error authenticating with LDAP: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []}

The ldap server is pingable from my CentOS and vice versa.

Also the Reviewboard documentation is not really helpful.

Can anyone kindly help me please?


Christian Hammond

Sep 8, 2021, 5:22:00 PM
to revie...@googlegroups.com
Hi,

The error from python-ldap isn't always useful. However, this usually means that it either can't communicate over the configured port, or there's some other issue preventing communication. This could be SSL-related, but that should usually result in a different error.

From the Review Board server, are you able to run:

    telnet ldaps.mycompany.com 636

Does that connect and ask you for input, or does it give an error message?

Christian



--
Christian Hammond
President/CEO of Beanbag
Makers of Review Board

Tom Schäfer

Jun 21, 2023, 4:15:27 AM
to Review Board Community
Hi there,

I have the same issue now and I'm wondering if there is any solution to this.
I installed Reviewboard 6.0 beta1 and tried to set up LDAP authentication with LDAPS.

OS : Ubuntu 22.04.2
ReviewBoard Version : 6.0 beta1

LDAP Config:

LDAP Server: ldaps://ldaps.mycompany.com:636
Use TLS for authentication: Checked
Review Board LDAP Bind Account: CN=my-user,OU=All Service Accounts,DC=my,DC=company
Review Board LDAP Bind Password: xxxxxxxx
LDAP Base DN: OU=All Users,DC=my,DC=company
Username Attribute: sAMAccountName
Full Name Attribute: displayName
E-Mail LDAP Attribute: mail

tail -f /var/www/reviewboard/logs/reviewboard.log

WARNING - - reviewboard.accounts.backends.ldap - Error authenticating with LDAP: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': '(unknown error code)'}

The LDAP server is pingable, and telnet to port 636 of the LDAP server is also working.

Could someone help please?

Christian Hammond

Jun 21, 2023, 7:48:24 PM
to revie...@googlegroups.com
Hi Tom,

What LDAP server software are you using?

While I’d expect a different error code here, to check, do you use self-signed SSL certs (or an in-house CA)? Is the cert still valid (not expired)?

Are there any ACLs on the LDAP server that restrict what IPs can connect to it?

Christian


Tom Schäfer

Jun 23, 2023, 5:37:18 AM
to Review Board Community
Hi Christian,

the ports to the LDAP(S) server are open, there are no further restrictions, and we are forced by IT to use port 636. We use a self-signed certificate, and on other systems we had to import the CA certificate (for example in our Jenkins server). So I figured out how I can do this in ReviewBoard, and the trick seems to be that the settings in /etc/ldap/ are ignored and the python-ldap settings are used instead.

If I add the certificate in the file /venv/lib/python3.8/site-packages/reviewboard/accounts/backends/ldap.py, it works.

It was the following lines, added after line 342 (after the ldap.initialize call):

    ldapo.set_option(ldap.OPT_X_TLS_CACERTFILE, '/site/Root_CA.crt')
    ldapo.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

Then python-ldap recognises the CA cert file and LDAP is working. Not very intuitive, but good enough for us for now ;)

Greetings,
Tom
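As an added illustration of the python-ldap option handling described in the post above (this is example code, not Tom's patch and not Review Board's own ldap.py), the following script sets the CA file, keeps certificate verification switched on, and forces a new TLS context before binding. The URI, bind DN, password and CA path in the comments are placeholders; `dry_run()` exercises the option logic against a stand-in connection and a constructed placeholder PEM file, so it runs without python-ldap installed or an LDAP server reachable.

```python
"""Trusting an in-house CA when python-ldap connects over ldaps://.

Added example (not Review Board's code). python-ldap is imported only inside
ldaps_bind(), so the option logic can be exercised without the library.
"""
import os
import tempfile
from types import SimpleNamespace


def apply_tls_options(conn, ca_file, ldapmod):
    """Set the options python-ldap needs to trust ca_file, in the right order.

    conn     -- object returned by ldap.initialize() (anything with set_option)
    ca_file  -- PEM file holding the issuing CA (or the chain)
    ldapmod  -- the python-ldap module; passed in so a stand-in can be used
                when the library is not installed
    Returns the (option, value) pairs that were applied.
    """
    # A wrong path only surfaces later as "Can't contact LDAP server", so
    # fail early with a clear message instead.
    if not os.path.isfile(ca_file):
        raise FileNotFoundError(f"CA file not found: {ca_file}")

    options = [
        (ldapmod.OPT_X_TLS_CACERTFILE, ca_file),
        # Keep verification on: OPT_X_TLS_NEVER would also silence the error,
        # but then any certificate is accepted.
        (ldapmod.OPT_X_TLS_REQUIRE_CERT, ldapmod.OPT_X_TLS_DEMAND),
        # Must come last: python-ldap builds its TLS context lazily, and
        # OPT_X_TLS_NEWCTX rebuilds it with the options set above.
        (ldapmod.OPT_X_TLS_NEWCTX, 0),
    ]
    for opt, value in options:
        conn.set_option(opt, value)
    return options


def ldaps_bind(uri, bind_dn, password, ca_file):
    """Open an ldaps:// connection that trusts ca_file and do a simple bind."""
    import ldap  # python-ldap; needed only for a real connection
    conn = ldap.initialize(uri)
    apply_tls_options(conn, ca_file, ldap)
    conn.simple_bind_s(bind_dn, password)
    return conn


class RecordingConn:
    """Stand-in for the ldap.initialize() result; records set_option() calls."""

    def __init__(self):
        self.calls = []

    def set_option(self, opt, value):
        self.calls.append((opt, value))


# Stand-in for the python-ldap module: each constant maps to its own name so
# the recorded calls are readable.
FAKE_LDAP = SimpleNamespace(
    OPT_X_TLS_CACERTFILE="OPT_X_TLS_CACERTFILE",
    OPT_X_TLS_REQUIRE_CERT="OPT_X_TLS_REQUIRE_CERT",
    OPT_X_TLS_DEMAND="OPT_X_TLS_DEMAND",
    OPT_X_TLS_NEWCTX="OPT_X_TLS_NEWCTX",
)


def dry_run(ca_file=None):
    """Apply the options to a recording connection and return the calls.

    With no argument a constructed placeholder PEM file is written to a temp
    path (and removed afterwards); pass a path to exercise the file check.
    """
    cleanup = None
    if ca_file is None:
        with tempfile.NamedTemporaryFile("w", suffix=".crt", delete=False) as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n"
                     "placeholder, not a real certificate\n"
                     "-----END CERTIFICATE-----\n")
            ca_file = cleanup = fh.name
    try:
        conn = RecordingConn()
        apply_tls_options(conn, ca_file, FAKE_LDAP)
        return conn.calls
    finally:
        if cleanup:
            os.unlink(cleanup)


if __name__ == "__main__":
    for opt, value in dry_run():
        print(f"{opt} = {value!r}")
    # Real use, all values placeholders:
    # ldaps_bind("ldaps://ldaps.mycompany.com:636",
    #            "CN=my-user,OU=All Service Accounts,DC=my,DC=company",
    #            "secret", "/site/Root_CA.crt")
```

The order matters: python-ldap only reads the CA file when the TLS context is (re)built, which is why OPT_X_TLS_NEWCTX is set after the other options. Leaving OPT_X_TLS_REQUIRE_CERT at DEMAND means the connection still fails if the presented certificate does not chain to the configured CA, which is the behaviour you want from an authentication backend.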

Christian Hammond

Jun 23, 2023, 5:23:44 PM
to revie...@googlegroups.com
I'm glad you have a workaround and verified the problem. We have a long-standing roadmap item to allow for selection of an SSL cert. We'll try to prioritize that for an upcoming release.

Christian

Florian Miedniak

Mar 7, 2024, 9:04:44 AM
to Review Board Community
Hi Tom,

Quite a late answer, but maybe it still helps:

I had the very same problem using Reviewboard 6.0.2 and used the workaround as shown by you, also finding it working but ugly. I finally managed to solve it by:
1. cp <special-certificate> /usr/local/share/ca-certificates/<special-certificate>
2. /usr/sbin/update-ca-certificates
3. apt-get install libldap-common

By doing so, the <special-certificate> is added to the system-wide cert store (/etc/ssl/certs/ca-certificates.crt in my case) and the LDAP client is automatically configured (by /etc/ldap/ldap.conf) to look into the system-wide cert store. Afterwards, LDAP login worked again for me without changing anything inside RB's ldap.py.
Although RB might support selection of SSL certs in the future, I found that solution very convenient, because it is a step towards storing the certificate in one single place, instead of having to maintain it in several places all over the OS and different applications ...

This issue is also tracked at https://hellosplat.com/s/beanbag/tickets/5023/ in order to get it fixed inside the reviewboard docker images.

Best regards,
-Florian